MidnightBSD

Advisories for rbi

CVE-2025-62642

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has an "Anyone Can Join This Party" signup API that does not verify user account creation, allowing a remote unauthenticated attacker to create a user account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
rbi restaurant_brands_international_assistant *
CVE-2025-62643

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 transmits passwords of user accounts in cleartext e-mail messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 3.4 LOW CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N 1.6 1.4

Products Affected

Vendor Product Version
rbi restaurant_brands_international_assistant *
CVE-2025-62644

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory that shares personal information among authenticated users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.0 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 3.1 1.4

Products Affected

Vendor Product Version
rbi restaurant_brands_international_assistant *
CVE-2025-62645

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows a remote authenticated attacker to obtain a token with administrative privileges for the entire platform via the createToken GraphQL mutation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 9.9 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 3.1 6.0

Products Affected

Vendor Product Version
rbi restaurant_brands_international_assistant *
CVE-2025-62646

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to review the stored audio of conversations between associates and Drive Thru customers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.0 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N 3.1 1.4

Products Affected

Vendor Product Version
rbi restaurant_brands_international_assistant *
CVE-2025-62647

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.0 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N 3.1 1.4

Products Affected

Vendor Product Version
rbi restaurant_brands_international_assistant *
CVE-2025-62648

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to adjust Drive Thru speaker audio volume.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L 3.1 2.7

Products Affected

Vendor Product Version
rbi restaurant_brands_international_assistant *
CVE-2025-62649

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for submission of equipment orders.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 5.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
rbi restaurant_brands_international_assistant *
CVE-2025-62650

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for use of the diagnostic screen.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L 3.9 3.7

Products Affected

Vendor Product Version
rbi restaurant_brands_international_assistant *
CVE-2025-62651

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 does not implement access control for the bathroom rating interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
rbi restaurant_brands_international_assistant *